Well, hello, everybody. Good morning. Thank you for coming to this session about attacking Internet connections in IPv6 networks. I'm from Spain. This is the sixth year that I'm speaking here at DEF CON. And year after year, before delivering the talk, I've been trying to convince you to come to my country. How many of you have been to Spain in the last six years? Please, hands up. Hey, very well. Did you enjoy Spain? Yeah? Well, for the rest of you, I've been trying year after year to convince you, talking about the beaches, the parties, the beaches, the parties, the bullfighters and so on. And this year I'm going to try a different approach. So I'm going to try to convince you to visit my country by doing a quick summary of the history of Spain.

The history of Spain. I'm going to talk about the history of Spain in only one minute. Is that okay for you?

Well, 2,000 years ago, Spain was a Roman country. In fact, we have some of the best Roman emperors born in Spain, like Trajano and Adriano. And if you visit Spain, you can discover in the middle of the city a lot of Roman monuments like this one in Segovia, and if you see this theater in Merida, all the country is full of Roman monuments. Centuries after, Spain was a medieval country. And if you visit the country you will find a lot of castles. Actually there are hundreds and hundreds of castles. And you can visit all of them, and you can even buy one if you have enough money, because some of them are for sale. It's true, it's not a joke. In fact, after that, Spain was a research production and an Arabic country. Seven centuries being an Arabic country. And if you visit Spain, you will discover that there are a lot of mezquitas around the country, with beautiful monuments in all the country. And after that, Spain was an empire. Probably you know it. And as Spain was an empire, all great artists wanted to work for the empire. So in Spain there are a lot of museums with great artists' paintings like this. So are you going to visit Spain, please? Okay. Well, we are not an empire anymore, as you probably know. So let's talk about FOCA. How many of you know FOCA? How many of you love FOCA? Yeah. Well, today I'm going to talk about another FOCA. It's not the FOCA that you probably know. It's the ‑‑ it's an evil FOCA.
And it's a FOCA based on hacking networks. The idea of this tool is that probably most users at some time in their life have tried a very dangerous command in their operating system, which is ipconfig. Have you ever tried this command? It's very dangerous and very difficult to understand this command. Because, well, as you can see, it's in Spanish, because Spanish is better. And as you can see, there is a special magic in the result you can see. Because if you ask any user that types this command what the IP address is, all users are going to say 192.168.1 and so on. Nobody can see the IP address on top of the list. Have you seen that IP address? The big one? Yeah? Most of you, when you realize there is something on top of the IP address, do something like this.

Well, the truth is that in all Windows operating systems, IPv6 is working by default. It's turned on. So if you go to test your network configuration, you can realize that IPv6 is turned on and by default is configured like this. It's in Spanish, you know, but that means automatic configuration. That means that IPv6 is waiting to be configured to run on the machine. But it is working. And if you test the routing table, you can realize that you have all the routing table for IPv6 installed in your computer. And even one of the most dangerous commands, the ping. Ping is working.
So I'm going to do a demo, an easy one. I got two machines. One of those is the IPv6. It's this blue one. The blue one is the server. And as you can see, we have an IPv6 address and an IPv4. The IPv6 is FE80 whatever. And the IPv4 is 192.168.10.1. And if we go to the client, to the other machine, which is the red one, and try to do a ping to the IPv4. It's working. It's working. It's working. It's working. 192.168.10.1. It is working. If we try to discover what the name of the server is, we get that the name is shared. If we try the IPv6 address, of course, it is working as well. And if we do something like ping the name. Then. Magic occurs. Because by default, Windows tries to connect using IPv6. But probably all of you are aware of this. Is this true? Yeah. And you are taking care of IPv6 attacks for sure.
Well, this said, this said, the idea of IPv6 is that in a Windows machine, both protocols are working at the same time. Depending on the configuration of your network, the machine is going to use IPv4 or IPv6. If you have an IPv4 network fully configured with a domain controller with the DNS, and all the computers are in the DNS and all of them are working with IPv4, then the network is going to work as an IPv4 network by default. But if you are in a local network connected with all the computers from different parts, they are not in the same DNS, they are not in the same domain controller; then IPv6 will appear a lot of times.

This is because in Windows Vista, Microsoft added this protocol, LLMNR, which is a protocol that tries to discover what the IP address of a computer in the network is. It is working only in the local network, in the local segment, and you can see it's trying to discover the IP address of the computer. It's trying to query the DNS for an IPv6 record, it's trying to do a broadcast discovery. Whatever. In the end, when LLMNR discovers the IP address of the destination server, if it's possible to connect using IPv6, then it's going to connect.
Once we have the IP address, we need the physical address. To discover the physical address in IPv4, we are using ARP, but ARP is not working in IPv6 anymore. So if you have a security solution to detect man in the middle attacks with ARP, it's very good for IPv4, but not for IPv6. Because in IPv6, we are using a different protocol, which is the Neighbor Discovery Protocol, based on two different messages. Which are? Neighbor solicitation and neighbor advertisement. In the end, neighbor solicitation and neighbor advertisement are working the same way as ARP, but it's not ARP. That's important. We also got a table in which we connect the IPv6 address with the physical address. In IPv4, it's the ARP table. In IPv6, it's the neighbor table, and it's in your computer. You can query the table. You can query the table using that command.

This said, how it works is like this. Someone is trying to discover the IP, the physical address of an IPv6 computer, then sends messages to FF02, which is a multicast address, querying for the IPv6 address in which it's interested. In this case, this one. The computer with this IPv6 address, in this case this one, is going to answer with the physical address. It's very easy to understand. It's the same as ARP. That means performing a man in the middle attack in this environment is very easy. We only need to send two packets, like ARP. It's very easy. The idea is that we need to send a packet to one of the computers spoofing the IPv6 address of the other victim. And then do the same with the IPv6 of the other machine. Only two packets and we have the man in the middle, like in ARP.
So let's do a very easy demo, a quick demo. It's level one. Very easy to do and very easy to understand in this environment. But before doing it, you have to take into account that we are Spaniards, so we are lazy. We need tools for work. So we created the Evil FOCA. Okay? In this demo we have three machines. The blue one is the server. The red one is the victim, the client. And the black one is the Evil FOCA. So we only need to do something like open Wireshark, open Evil FOCA, yes, then Evil FOCA discovers the network. Yes. Just drag, drag, click, and that's okay. Okay? So if we go to Wireshark, if we go to Wireshark in this machine, we start to capture information, capture interfaces, image. internal. And we do something very easy. Go to the client, and from the client, do slash, slash, server, connect to the server, open a document with my password, and then we go to the FOCA, to the old FOCA. We only need to do follow TCP stream and that's it. We got all the information and we can use the find to search for the password. And here it is. Okay. Very easy. Well, this is very easy. It's level one. I'm going to stop the server. I don't need the server anymore. And now we are going to get into level two.
The idea of level two is, okay, we got the IPv6 in the network, but I want to be a man in the middle when the big thing connects to the Internet, which is working in IPv4. And that's the challenge. Well, this is the demo that I did, just in case it doesn't work. And the second demo is a SLAAC attack. Yesterday there was a talk talking about this. We released this tool in March. It's public, this tool, since March, with this attack. And the idea is quite simple.

In IPv6, there are a lot of computers. There are big IP addresses. And it would be impossible for a sysadmin to manage all the routes on the network. I have 1,000 computers and 300 routers. It would be a mess. So the idea from the beginning is that you don't have to worry about the default gateway because we are going to create a protocol to configure the gateway on the computers. That protocol is SLAAC. That means it's the same. And the idea is quite simple. When a computer with IPv6 needs to connect to the Internet, it asks for a router with a packet called router solicitation. And if there is a router in the network, it answers with a neighbor advertisement saying, hey, here's a router, here's a friend. After that, the computer automatically configures an IPv6 network that has connectivity to the router and configures the router as the default gateway. Very easy to do, very easy to understand. That protocol only configures the default gateway, but not the DNS. You need to configure the DNS. Not always. You can also use the rogue DHCP to configure the DNS, but it's not completely necessary because in Windows machines, there is a special protocol, which is the DNS autodiscovery. So if your computer doesn't have any DNS, the DNS configuration by default uses these three IP addresses. That means that if someone configures that IP address in your network, it will be the DNS in your network. You need to take care of these IP addresses. So doing the attack is very easy because all web browsers are ready to work with IPv6. Well, this is Mozilla, which is ready for IPv6. In Google Chrome, it's deactivated. IPv6 is deactivated by default. So if the guy is using Google Chrome, you cannot do this attack. You can do the next one, don't worry.
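The two spoofed neighbor advertisements of level one and the rogue router advertisement that SLAAC trusts in level two are the same thing on the wire: an unsolicited NDP message that a host believes without checking. The following Python monitor is an added example written for this transcript; it is not part of the talk and not Evil FOCA code. It is the IPv6 counterpart of an ARP watcher: it parses raw ICMPv6 Neighbor Advertisement (type 136) and Router Advertisement (type 134) payloads with their TLV options, remembers the first MAC claimed for each IPv6 address, and raises an alert when an address is re-bound to a different MAC, when an RA arrives from a router MAC that is not on an allowlist, or when an RA's RDNSS option pushes a resolver that is not allowlisted. Everything in the replay is constructed: the MACs, the 2001:db8 prefixes, and the resolver fec0:0:0:ffff::1 (one of the three site-local addresses Windows tries as fallback DNS servers when none is configured). The block builds its own packets with a zero checksum, which the monitor does not verify; in a deployment the payloads would come from a capture feed such as a raw socket or pcap reader (an assumption), with the Ethernet and IPv6 headers already stripped.

```python
import ipaddress
import struct

# ICMPv6 message types and NDP option types (RFC 4861, RDNSS from RFC 8106)
ND_ROUTER_ADVERT = 134
ND_NEIGHBOR_ADVERT = 136
OPT_SOURCE_LLADDR = 1
OPT_TARGET_LLADDR = 2
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25


def parse_options(data):
    """Split the TLV options that follow an NDP header into (type, value) pairs."""
    opts = []
    while len(data) >= 2:
        otype, olen = data[0], data[1]
        if olen == 0:  # RFC 4861 forbids zero-length options; treat the rest as malformed
            break
        size = olen * 8  # option length is given in units of 8 octets
        opts.append((otype, data[2:size]))
        data = data[size:]
    return opts


def parse_ndp(payload):
    """Decode an ICMPv6 payload; only NA and RA are understood, anything else yields None."""
    if not payload:
        return None
    if payload[0] == ND_NEIGHBOR_ADVERT and len(payload) >= 24:
        msg = {"type": "NA", "target": ipaddress.IPv6Address(payload[8:24]), "lladdr": None}
        for otype, val in parse_options(payload[24:]):
            if otype == OPT_TARGET_LLADDR:
                msg["lladdr"] = val[:6].hex(":")
        return msg
    if payload[0] == ND_ROUTER_ADVERT and len(payload) >= 16:
        msg = {"type": "RA", "lladdr": None, "prefixes": [], "rdnss": []}
        for otype, val in parse_options(payload[16:]):
            if otype == OPT_SOURCE_LLADDR:
                msg["lladdr"] = val[:6].hex(":")
            elif otype == OPT_PREFIX_INFO and len(val) >= 30:
                msg["prefixes"].append(f"{ipaddress.IPv6Address(val[14:30])}/{val[0]}")
            elif otype == OPT_RDNSS and len(val) >= 22:
                addrs = val[6:]  # 2 reserved + 4 lifetime bytes precede the addresses
                msg["rdnss"] += [str(ipaddress.IPv6Address(addrs[i:i + 16]))
                                 for i in range(0, len(addrs) - 15, 16)]
        return msg
    return None


class NdpMonitor:
    """Keeps the first IPv6->MAC binding seen per address plus allowlists of routers and resolvers."""

    def __init__(self, trusted_routers, trusted_dns):
        self.trusted_routers = set(trusted_routers)
        self.trusted_dns = set(trusted_dns)
        self.bindings = {}
        self.alerts = []

    def observe(self, payload):
        msg = parse_ndp(payload)
        if msg is None:
            return None
        if msg["type"] == "NA" and msg["lladdr"]:
            known = self.bindings.setdefault(msg["target"], msg["lladdr"])
            if known != msg["lladdr"]:
                self.alerts.append(f"NA rebinds {msg['target']}: {known} -> {msg['lladdr']}")
        elif msg["type"] == "RA":
            if msg["lladdr"] not in self.trusted_routers:
                self.alerts.append(f"RA from untrusted router {msg['lladdr']} {msg['prefixes']}")
            for dns in msg["rdnss"]:
                if dns not in self.trusted_dns:
                    self.alerts.append(f"RA pushes untrusted DNS {dns}")
        return msg


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_na(target, mac):
    """Constructed NA with the S and O flags set; checksum left zero (the monitor ignores it)."""
    hdr = struct.pack("!BBHI", ND_NEIGHBOR_ADVERT, 0, 0, 0x60000000)
    return hdr + ipaddress.IPv6Address(target).packed + bytes([OPT_TARGET_LLADDR, 1]) + _mac(mac)


def build_ra(mac, prefix, dns_servers):
    """Constructed RA carrying source link-layer, prefix information and RDNSS options."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    src = bytes([OPT_SOURCE_LLADDR, 1]) + _mac(mac)
    pio = (bytes([OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0])  # L and A flags: hosts autoconfigure
           + struct.pack("!III", 2592000, 604800, 0) + net.network_address.packed)
    rdnss = (bytes([OPT_RDNSS, 1 + 2 * len(dns_servers), 0, 0]) + struct.pack("!I", 1800)
             + b"".join(ipaddress.IPv6Address(d).packed for d in dns_servers))
    return hdr + src + pio + rdnss


def run_demo():
    """Replay a constructed capture: a legitimate NA, a spoofed NA, then a rogue RA."""
    mon = NdpMonitor(trusted_routers={"00:50:56:00:00:01"}, trusted_dns={"2001:db8::53"})
    frames = [
        build_na("fe80::1", "00:0c:29:aa:bb:cc"),           # the real server answers for itself
        build_na("fe80::1", "de:ad:be:ef:00:01"),           # another MAC claims the same address
        build_ra("de:ad:be:ef:00:01", "2001:db8:bad::/64",  # RA from a MAC not on the router allowlist
                 ["fec0:0:0:ffff::1"]),                      # RDNSS naming a non-allowlisted resolver
    ]
    for frame in frames:
        mon.observe(frame)
    return mon.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The replay produces three alerts: the rebinding of fe80::1, the RA from an unknown router, and the RDNSS entry. The first-binding-wins policy is deliberate: like arpwatch it cannot tell which of two claimants is honest, only that the segment changed, which is the event worth paging on. RA Guard on the switch ports stops the rogue RA itself; this monitor is for segments where that is not available.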
And there are several situations in which IPv6 attacks are not working very well because Windows has a very special behavior. If you have IPv4 and IPv6 fully configured, I mean with the DNS and the default gateway, then Windows uses the DNS configured in the IPv4 protocol. It makes sense because in the end DNS is supposed to be only one copy in the whole Internet. So it doesn't matter if I'm connecting to the DNS using IPv4 or IPv6. And in Windows, they chose to use the IPv4 protocol to connect to the DNS. If you don't have IPv4 fully configured, for instance, the DHCP is failing to give you the DNS, then if we configure IPv6, the computer is going to use IPv6. But in some cases, by default, it's searching for the DNS record of the IPv4 address. That means that if we want to create a special man in the middle using IPv6 between the client and the man in the middle, we need to reconstruct the answers to IPv6. And, of course, if we got IPv6 and IPv4 only in local link ‑‑ sorry, I'm sick. And if we got IPv6 and IPv4 with local link, then the DNS is going to be used using IPv6 and it's going to be querying DNS for IPv6 addresses. But it's very easy to change the behavior. Because if the client asks for a DNS query searching for an IPv4, you can respond with an IPv6 and everything goes well. So don't worry at all.
So what is Evil FOCA doing in this attack? The idea is quite simple. Evil FOCA is going to be this guy using NAT64 and DNS64. The idea is that we are going to configure ‑‑ ooh! We are going to configure this connection. We are going to send a SLAAC attack to configure this as the default gateway. Then it automatically is going to configure the DNS autodiscovery to connect to the Internet. And DNS autodiscovery is an IPv6, so we are in the middle. We are going to capture all DNS queries. So when he asks for an IPv4 URL, for instance, www.defcon.org, which is only working in IPv4, then that query is going to be sent to the default gateway. We are going to intercept the query. We are going to ask for the real IPv4 on the Internet. Then we are going to convert the IPv4 to an IPv6 address. Okay. This is sent to the client, and then the client is going to send the IPv6 query to the default gateway, and we are going to translate the IPv6 to IPv4 and send it to the server and then get the answer, and then ‑‑ it's very easy to understand.
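The conversion step above (take the real IPv4, hand the client an IPv6 that leads back to the translator) is exactly what a legitimate DNS64/NAT64 pair does, which is also what makes it detectable from the client side: the synthesized address carries the real A record in its low 32 bits. The block below is an added example for this transcript, not code from the talk or from Evil FOCA. It synthesizes an AAAA the way RFC 6052 lays out a /96 NAT64 prefix, recovers the embedded IPv4, and audits the AAAA answers a client received against what a trusted out-of-band resolver returns, flagging answers that sit in the well-known prefix 64:ff9b::/96 or that embed one of the name's genuine A records under any other prefix. Whether Evil FOCA uses the well-known prefix is not stated in the talk, so the audit does not depend on it. The A and AAAA values in the replay are constructed documentation addresses (192.0.2.0/24, 2001:db8::/32), not the real records of any zone.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix; an operator (or a rogue gateway) may use any other /96
WELL_KNOWN_PREFIX = "64:ff9b::/96"


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """The AAAA a DNS64 resolver synthesizes for a name that only has an A record:
    the /96 prefix in the high bits, the IPv4 address in the low 32 bits."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))


def embedded_ipv4(ipv6):
    """Low 32 bits of an IPv6 address, read as the IPv4 a NAT64 gateway would forward to."""
    return ipaddress.IPv4Address(int(ipaddress.IPv6Address(ipv6)) & 0xFFFFFFFF)


def audit_aaaa(name, received_aaaa, reference_a, reference_aaaa):
    """Compare the AAAA answers a client got with what a trusted out-of-band resolver
    returns for the same name. Two signs of a synthesized answer are reported: the
    address lies in the well-known NAT64 prefix, or its low 32 bits equal one of the
    name's real A records (the fingerprint of DNS64 under any custom prefix)."""
    findings = []
    ref_a = {ipaddress.IPv4Address(a) for a in reference_a}
    ref_aaaa = {ipaddress.IPv6Address(a) for a in reference_aaaa}
    well_known = ipaddress.IPv6Network(WELL_KNOWN_PREFIX)
    for raw in received_aaaa:
        addr = ipaddress.IPv6Address(raw)
        if addr in ref_aaaa:
            continue  # the genuine record; nothing to report
        if addr in well_known:
            findings.append(f"{name}: AAAA {addr} is in {WELL_KNOWN_PREFIX} although the zone has no such AAAA")
        elif embedded_ipv4(addr) in ref_a:
            prefix = ipaddress.IPv6Network(((int(addr) >> 32) << 32, 96))
            findings.append(f"{name}: AAAA {addr} embeds the real A record {embedded_ipv4(addr)} under prefix {prefix}")
        # other mismatches (CDN rotation, stale cache) are not NAT64 evidence and are left alone
    return findings


def run_demo():
    """Constructed records: documentation addresses stand in for the real zones."""
    reference = {"www.defcon.org": (["192.0.2.10"], []),                  # IPv4-only name, as in the talk
                 "www.example.net": (["192.0.2.20"], ["2001:db8::1"])}    # dual-stack name
    observed = {"www.defcon.org": ["64:ff9b::c000:20a"],                  # what a DNS64 in the path answers
                "www.example.net": ["2001:db8::1"]}                       # genuine AAAA, untouched
    report = []
    for name, aaaa in observed.items():
        ref_a, ref_aaaa = reference[name]
        report += audit_aaaa(name, aaaa, ref_a, ref_aaaa)
    return report


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The reference resolver must be reached over a path the suspected gateway does not control (a VPN, a mobile link, or DNS over TLS to a pinned server), otherwise the comparison sees the same synthesized answers. A site that runs its own DNS64 legitimately should add its prefix to an allowlist before alerting on the first finding type.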
But you know, we are Spanish. So let's do the demo. The idea in the first demo, we only needed to send two packets, one for one bit and one for another. Okay. So we need to send a packet to configure the SLAAC attack, and then we need to do all the translation. And in Evil FOCA, we need to do this. First of all, I'm going to spend a lot of money using my Spanish mobile phone, but I need an Internet connection. So connect. Okay. Let's see. If I have an Internet connection ‑‑ please, please, please, okay, I got an Internet connection. Then I got the Evil FOCA. I got the Evil FOCA and the victim. And I'm going to do something like ‑‑ open Evil FOCA. I'm going to the victim. I'm going to reset the network adapter just in case something was stored from the previous demo. That's all. And all that we need to do is something like go to Evil FOCA and then select SLAAC, just click here and start. That's all. That's all. If we go to ‑‑ if we try to do something like ‑‑ this is in the host machine. This is the host machine. If I try to connect to the DNS and search for an IPv6 address for DEFCON.org, as you can see, there is not an IPv6 address for DEFCON.org. And if we go to the victim and we open the web browser, and we search for www.google.com or DEFCON.org, everything is working, Google and DEFCON. And if we search for the IP address that we are using to connect, it's ping www.DEFCON.org. It's an IPv6 because we are changing the IPv4 to IPv6. And you can see we are browsing the Internet. Well, this is the demo, just in case.
Level 3. Well, this is level 3. We have not published this version of Evil FOCA yet. But next week you will have this version available. And the idea is to use the Web Proxy Auto-Discovery protocol. The idea is quite simple. By default, all web browsers, Google Chrome, Internet Explorer, Mozilla Firefox, and so on, by default are searching for a web proxy to configure the Internet connection. To discover what the web proxy is, they are searching for a special record in the DNS, which is web proxy auto discovery. WPAD. And then they connect to that IP address, and that IP address is supposed to have a server, and the server gives a special file, and that special file gives the IP address of the web server. In this case, of the proxy server. In this case, we are going to use an IPv6 proxy with Evil FOCA. And the idea is that Evil FOCA is going to do everything for you. Evil FOCA configures the DNS answer for WPAD. WPAD configures a rogue proxy server listening in the IPv6 network and reroutes all traffic between IPv4 and IPv6.
So let's do the demo. And then we only need to ‑‑ I'm going to disable and enable the network interface. I'm going to ‑‑ everything from the beginning. Disable. And enable. Okay. And then go to Evil FOCA. Open Evil FOCA. And then we select web proxy auto discovery and click. And that's it. And right now we have here ‑‑ we are working the man in the middle attack for web proxy auto discovery. Then we need to wait until the web proxy auto discovery query appears. Let's open Internet Explorer. Let's close Internet Explorer. And let's open it again. And let's see. Okay. Now the proxy is up. And the client. The client has requested the file. So if everything is okay, we can do something like Google.com. Let's see if the Internet is working very well. Google. Okay. Okay. Google. Google. Google. Internet, please. Be a good guy. Google. Here it is. Okay. Now we are doing the man in the middle again using a different protocol. But we need ‑‑ we wanted more.

So this was the demo. The demo was that the client sent ‑‑ the victim sent for WPAD an A record. Then we answered saying, no, no, it's not an IPv4, it's an IPv6. Then the victim asked again about the WPAD record, but in this case searching for an IPv6 address. We confirmed, yes, this is the IPv6 of the web proxy auto discovery server. Then the victim connects to the web server requesting the ‑‑ the PAC file with information about the proxy. We sent that information with the IPv6 and the port on which Evil FOCA is listening. And the rest is just capturing the data.
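The WPAD exchange just described leaves two artifacts a defender can check from the client side: the address wpad resolved to, and the PAC file that address served. The block below is an added example for this transcript, not code from the talk or from Evil FOCA. It pulls the proxy directives out of a PAC script (a static scan of its return strings, not a JavaScript evaluation, so every branch's proxy is listed), classifies each proxy host as a DNS name or an IP literal with its scope, and reports any WPAD answer or PAC endpoint that is not on the organization's allowlists. The sample PAC, the link-local proxy address, and the allowlisted hosts 10.0.0.5 and proxy.corp.example are all constructed values.

```python
import ipaddress
import re

# A PAC script returns strings such as 'PROXY [2001:db8::1]:8080; DIRECT'.
# The string literals of every return statement are scanned; the script is never executed.
RETURN_RE = re.compile(r'return\s+"([^"]*)"')


def parse_pac_endpoints(pac_text):
    """Return (scheme, host, port) for each proxy directive a PAC script can return."""
    endpoints = []
    for returned in RETURN_RE.findall(pac_text):
        for directive in returned.split(";"):
            parts = directive.strip().split(None, 1)
            if len(parts) != 2:
                continue  # DIRECT (or an empty entry) names no endpoint
            scheme, endpoint = parts[0].upper(), parts[1].strip()
            if endpoint.startswith("["):  # bracketed IPv6 literal, as in URLs
                host, _, port = endpoint[1:].partition("]:")
            else:
                host, _, port = endpoint.rpartition(":")
            endpoints.append((scheme, host, int(port) if port.isdigit() else None))
    return endpoints


def classify_host(host):
    """Describe a proxy host: a DNS name, or an IP literal with its address scope."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    if addr.is_link_local:
        return f"ipv{addr.version} link-local"
    if addr.is_private:
        return f"ipv{addr.version} private"
    return f"ipv{addr.version} global"


def audit_wpad(wpad_answers, pac_text, allowed_wpad_hosts, allowed_proxies):
    """Findings for one WPAD resolution plus the PAC it served, checked against two
    allowlists: addresses wpad.<domain> may resolve to, and proxy hosts a PAC may name."""
    findings = []
    for answer in wpad_answers:
        if answer not in allowed_wpad_hosts:
            findings.append(f"wpad resolves to {answer} ({classify_host(answer)}), not an approved WPAD server")
    for scheme, host, port in parse_pac_endpoints(pac_text):
        if host not in allowed_proxies:
            findings.append(f"PAC sends {scheme} traffic to {host}:{port} ({classify_host(host)}), not an approved proxy")
    return findings


# Constructed PAC of the kind a rogue WPAD server on the IPv6 segment could hand out.
SAMPLE_PAC = '''function FindProxyForURL(url, host) {
    if (isPlainHostName(host)) return "DIRECT";
    return "PROXY [fe80::dead:beef]:8080; DIRECT";
}'''


def run_demo():
    return audit_wpad(
        wpad_answers=["fe80::dead:beef"],        # constructed AAAA answer for wpad.<domain>
        pac_text=SAMPLE_PAC,
        allowed_wpad_hosts={"10.0.0.5"},         # constructed: the real WPAD host, reachable over IPv4 only
        allowed_proxies={"proxy.corp.example"},  # constructed: only a named corporate proxy is approved
    )


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

A WPAD answer that is an AAAA record on a network whose WPAD host only has an A record, or a PAC whose proxy is a link-local IPv6 literal, is the signature of the exchange described in the talk. The durable fix is on the client: turn off automatic proxy detection in the browser and Windows settings and push the PAC URL by policy instead, so the wpad lookup never happens.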
Bonus level. What happens with HTTPS connections? Well. There are several options. The first one is to do an SSL strip. The idea is that we analyze all HTML pages and remove the S from the links. The second one is to use a fake digital certificate and try to cheat the user into clicking on, okay, I accept this digital certificate. And the third one is to do HTTPS bridging. That means that Evil FOCA is connecting to the IPv6, to the server, using HTTPS. And the client is connecting to Evil FOCA using HTTP. And FOCA is doing SSL strip and bridging HTTPS so far, and we added a special feature that is to remove the HTTPS links in Google results and also the redirect.
So let's do the demo. We got here Google. Okay. If we try to open Gmail, we are going to have an HTTP link, but if we search for Facebook, we have the Facebook in Spanish, you know? Facebook in Spanish. And the link is an HTTP. We only need to click on it. And then go to Evil FOCA. Okay. Okay. Okay. Okay. Open Wireshark. It is. Open Wireshark. Capture interface. Start. And we got all traffic here. And we only need to go here and test. Oh. Come on. This is awesome. Still loading. Evil. Where is my password field? Evil. Where is the enter? No, don't remember. And if we go to the other part and we search for HTTP request method equal equal POST, we got the user and password of Facebook. Here it is. Well, it's a man in the middle attack in IPv6, in an IPv4 network using IPv6, in a Spanish way.
And this was the demo. In this tool we also added other different attacks, just in case, like denial of service in IPv6, man in the middle attacks in IPv4, denial of service in IPv6, DNS hijacking. We are going to add also a way to inject JavaScript to create a JavaScript botnet. Remember last year's talk.

And just a conclusion: IPv6 is in your network. Configure it or kill it. And it's not easy to kill it. IPv6, if you have security tools for IPv4, probably they are not working for IPv6. And right now there are a lot of security tools using IPv6, like Topera, which is a port scanner using IPv6. We got several vulnerabilities in IPv6 products and so on. And I would like to give big thanks to the people behind The Hacker's Choice because they did a very, very, very good job with IPv6 tools. If you got BackTrack or Kali, use it because they got a lot of good tools. And even... COPY is wonderful to test all solutions. And the last word is for Street Fighter. Who in the hell designed a Spanish fighter, half bullfighter, half Wolverine, with a hockey mask? It doesn't make sense at all.

See you next year.
